Pune businessmen lose Rs 14 crore to email spoofing

PUNE: Since January this year, the city police and the cybercrime branch have logged 16 cases of email spoofing in which businessmen from the city have lost a total of Rs 14.47 crore. The cops are doing their best to track down the culprits.

A Bavdhan-based small entrepreneur, wanting to buy a few earth-moving machines, contacted a prominent Germany-based company. The two parties subsequently entered into an agreement. Upon his return, the businessman received an email which appeared to be from the German company, requesting urgent payment. As the email seemingly contained all the right details with regards to the company, he transferred Rs 1.82 crore to the bank account provided.

That was when he found out he was defrauded. When he called up, the company denied receiving the payment. He then cross-checked all the details and discovered — too late — that somebody, using a fraudulent email address that was very close to the official one, quoted a different bank account number. The victim reported this to the Hinjewadi police, who registered the complaint. Subsequent investigations revealed that the money was routed through Poland to a Nigeria-based account.

In a similar case, a businessman from Pimpri traveled to the US and struck a deal with a company there for the purchase of some machinery. He was supposed to transfer the payment to the company following which, they would ship the machinery. He received an email bearing the company's name. It contained the invoice and a bank account number.

Accordingly, he transferred 1.76 lakh USD to that account. But he soon realized his money was routed into another account. Before he could react, the entire sum was withdrawn by someone in Ghana.

The above two cases fall under 'email spoofing' wherein the original email address is forged so that the email appears to have come from a legitimate source but in truth, has originated from someone or somewhere other than the actual source. This is a tactic used commonly to cheat people. A majority of the cheats are based in foreign countries.

Sunil Pawar, senior cybercrime branch inspector, said email spoofing is a major B2B (Business to Business) crime to which many businessmen have fallen prey and have lost heavily. "Very few individuals are affected. The suspects target the business community only," Pawar said.

The suspects send emails similar to the ones which the business executive was expecting. "The suspects only introduce minor changes like a dot or a numerical figure in the email id. Otherwise, the email and the design of the bill remains the same. The suspects also change bank account numbers mentioned in the invoices to obtain the money fraudulently," he said.

Only four businessmen, said Pawar, managed to spot these minor discrepancies. While there was no loss of money, those four cases too have been registered with the cybercrime branch. "They tallied the account number provided by the company against what they received in the email," he said.

On how these emails are designed to such perfection, Pawar said it is suspected that the suspects hack the email sent by the companies to their clients from whom money is expected, and such emails are replicated with only minor changes. According to Gaurav Jachak, an advocate and a cybercrime expert, at first glance the email looks official. "Actually the email is hijacked in such cases and a lookalike email is prepared with changes in the bank account numbers," he said.

Jachak said that some illegal hackers have even obtained domain names matching the names of a few globally reputed companies. "Such domain names are used to fool clients of prominent companies," he said. Many a times, the suspects send out emails claiming their operations in one country have halted, and provide the address of another country where they request the money transferred," he said.

It is very difficult to track down the suspects in these big fraud cases. "Money is transferred to one country and withdrawn from another country in quick time. In such cases, police cannot do much," Pawar said.